

Volume 1, Issue 1
February 2002

Inside this issue...

There Are No Secrets: Social Engineering and Privacy

Unmasking Social-Engineering Attacks

Protect Against Social Engineering Attacks

For additional information contact your Gartner Sales Executive or cathy.telesco@gartner.com


Protect Against Social Engineering Attacks
Attackers can use social engineering principles to avoid security systems by manipulating enterprises' employees. To prevent this, enterprises should follow these guidelines.

In "There Are No Secrets: Social Engineering and Privacy" (TU-14-5662), we examined social engineering as a practice used by attackers to penetrate corporate security. Here, we offer concrete guidelines to help protect your enterprise, and yourself, against social engineering attacks.

First, start with clear, consistent, comprehensive and enforceable security policies written down in a security plan. An out-of-date or unrealistic security policy drives users to circumvent it; therefore, recognizing a real security breach becomes more difficult in the noise of noncompliance. Management, users and administrators must be trained on the policies and on general security issues. If users understand these issues, they are more likely to comply with them or note suspicious behavior. The single strongest defense against social engineering attacks is an educated employee.

Establish procedures that eliminate any exchange of passwords, and then educate users and administrators on these procedures. A systems administrator should never ask a user for his or her password, nor even be able to view any password on any system. Automated password reset and synchronization tools can lift the responsibility of managing passwords from tech support and the help desk, without placing an undue burden on end users. These tools authenticate the user with a series of personal questions whose answers most people can easily remember.

Avoid using passwords or authentication questions an attacker can easily discern with a little research. Passwords or account details are frequently compromised due to inherent weaknesses or the use of weak authentication mechanisms, yet random passwords are frequently forgotten and more likely to be stored in a vulnerable location. Significant dates (like a child's birthday), Social Security numbers, names of pets, employee numbers, family members' names, mother's maiden name or addresses (current or prior) can all be discovered without too much difficulty. Even the questions used by the password reset tools should be selected to minimize the possibility of discovery by an attacker. Alternate possibilities include:

  • Combining character names from unrelated films, books or television shows.
  • Using part of a well-liked, yet obscure, quote.
  • Combining significant words, names, numbers and dates that are unrelated to each other and that are too obscure to be revealed if an attacker looks into the person's background.
  • Intentionally misspelling a random word.
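The following Python script is an added example, not part of the Gartner note: it screens a proposed password or reset answer against the easily researched personal details the note lists (significant dates, Social Security number, pet name, employee number, family and maiden names, addresses), and flags reset questions that ask for those same details. The profile fields, sample values and topic list are constructed for this example.

```python
"""Screen passwords and reset questions against researchable personal data.

Added example; the profile layout and sample values below are constructed
and are not from the Gartner note or any real product.
"""
import re
from datetime import date

# Constructed sample profile for one employee (field names are this example's own).
SAMPLE_PROFILE = {
    "first_name": "Maria",
    "last_name": "Jensen",
    "birthday": date(1974, 3, 9),
    "child_birthday": date(2001, 11, 20),
    "ssn": "123-45-6789",
    "employee_number": "E04471",
    "pet_name": "Biscuit",
    "family_names": ["Lars", "Anna"],
    "mother_maiden_name": "Olsen",
    "addresses": ["12 Elm Street", "400 Harbor Road"],
}

# Reset-question topics the note identifies as discoverable with a little research.
RESEARCHABLE_TOPICS = ("birth", "social security", "ssn", "pet", "employee number",
                       "maiden name", "address", "mother", "father", "spouse")


def _date_tokens(d):
    """Common numeric spellings of a known date (month/day/year orders, 2- and 4-digit years)."""
    return {
        d.strftime("%m%d%Y"), d.strftime("%d%m%Y"), d.strftime("%Y%m%d"),
        d.strftime("%m%d%y"), d.strftime("%d%m%y"), d.strftime("%m/%d/%Y"),
        str(d.year),
    }


def personal_tokens(profile):
    """Collect lowercase strings derived from the profile that a candidate must not contain."""
    tokens = set()
    for value in profile.values():
        values = value if isinstance(value, list) else [value]
        for v in values:
            if isinstance(v, date):
                tokens |= _date_tokens(v)
            else:
                s = str(v)
                tokens.add(s)
                tokens.add(re.sub(r"[^A-Za-z0-9]", "", s))  # "123456789", "12ElmStreet"
                tokens.update(re.findall(r"[A-Za-z0-9]+", s))  # individual words/numbers
    # Drop fragments too short to be meaningful on their own ("12", "E", "45").
    return {t.lower() for t in tokens if len(t) >= 4}


def check_candidate(candidate, profile):
    """Return the sorted profile-derived substrings found in the candidate.

    An empty list means the candidate passes this screen; it says nothing about
    length or entropy, which a separate password policy should enforce.
    """
    c = candidate.lower()
    c_compact = re.sub(r"[^a-z0-9]", "", c)
    return sorted(t for t in personal_tokens(profile) if t in c or t in c_compact)


def question_is_researchable(question):
    """True if a reset question asks for a detail an attacker can look up."""
    q = question.lower()
    return any(topic in q for topic in RESEARCHABLE_TOPICS)


if __name__ == "__main__":
    for pw in ("Biscuit2001", "Olsen12Elm", "Gandalf-Ripley-Marlowe"):
        hits = check_candidate(pw, SAMPLE_PROFILE)
        print(f"{pw!r}: {'REJECT ' + str(hits) if hits else 'ok'}")
    for q in ("What is your mother's maiden name?",
              "What was the first film you saw in a cinema?"):
        print(f"{q!r}: {'researchable' if question_is_researchable(q) else 'ok'}")
```

The screen deliberately matches case-insensitively and against the candidate with punctuation stripped, so "Olsen-12-Elm" is caught as readily as "olsen12elm"; a combination of unrelated names such as the note's first bullet passes because none of its parts appear in the profile.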

Of course, the most-effective method to eliminate human problems with authentication is to remove (or limit) humans from the process. Help desks will always want to be helpful, and thus remain susceptible to social engineering manipulation as long as people are involved. Strong authentication should be used in the most-vulnerable social engineering attack points. Smart cards, biometrics, caller ID, callbacks (to pre-stored numbers), location-based authentication or in-person identification can dramatically reduce the effectiveness of social engineering attacks by removing most or all of the human element.

When dealing with personal financial institutions, retailers or other organizations, you should demand the same protections as used in the enterprise. Not only can your personal finances be compromised, but someone can use this information to attack your enterprise. If your bank is unwilling to place a password on your account and insists on using your Social Security number or mother's maiden name, you might want to move to a financial institution that takes your security and privacy more seriously.

Security plans must be coordinated with physical/organizational security. It's very common for terminated employees to have their building keys taken away, but to keep an e-mail account or intranet access. Many social engineering attacks depend on some kind of a physical breach; no firewall can protect a server in an unlocked closet that an attacker can access directly. Attackers won't distinguish between a physical and a technical breach; they are simply focused on their goal. Poor communication among your security efforts will only aid the attacker, so clear communications channels are essential.

Core Topics
Security and Privacy: Individual and Corporate Privacy

Security and Privacy: Security Tools, Technologies and Tactics

Key Issue
How will enterprises evolve organizationally, architecturally and procedurally to respond to growing concerns over corporate and personal privacy?

Tactical Guidelines
Security awareness consists of three key elements:

  • Well-educated, security-aware employees – Education should be frequent and consistent, and can include monthly e-mail bulletins on security issues, as well as annual (or quarterly) training.
  • Clear reporting channels – Employees should have a single phone number and e-mail address to report suspicious electronic or physical activity.
  • Positive feedback – Reports should be made directly to security professionals, not any random person on the help desk. Employees should feel the information is acted on appropriately, and should receive positive feedback that they've helped improve the enterprise.

Source: Gartner Research

It's not possible to completely eliminate internal threats (e.g., disgruntled or criminal employees); however, checks and balances can limit the effectiveness of an internal attack – intentional or as a result of social engineering manipulation. Although sign-offs and authorizations shouldn't hinder operations to the point that employees will seek to circumvent them, you should implement checks and balances to limit a single person's ability to perform unwanted actions, especially where customer information, intellectual property and financial transactions are concerned. Background checks of anyone with unlimited physical access to your premises or access to sensitive information can limit the chances of "letting a fox into the henhouse," but they won't completely eliminate someone with malicious intent gaining access (especially if you ignore maintenance or cleaning staffs).

Bottom Line: Although it's just not possible to completely eliminate the threat of a social engineering attack, there are a number of steps you can take to limit its efficacy. Because social engineering is more about people than machines, the roots of all effective defenses reside in an enterprise's greatest resource – its personnel.

Gartner's Information Security Strategies Research Note TG-14-7359, 22 October 2001.

Entire contents © 2002 by Gartner, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.